address comment

Signed-off-by: Rita Zhang <[email protected]>

Author: ritazh

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy_test.go

@@ -21,7 +21,6 @@ import (
 	"path/filepath"
 	"reflect"
 	"slices"
-	"strings"
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
@@ -178,152 +177,24 @@ func TestBootstrapClusterRoles(t *testing.T) {
 	testObjects(t, list, "cluster-roles.yaml")
 }
 
-func TestBootstrapClusterRolesWithFeatureGateEnabled(t *testing.T) {
-	expectedDiff := map[string]string{
-		"system:monitoring": `   &v1.ClusterRole{
-			TypeMeta:   {},
-			ObjectMeta: {Name: "system:monitoring", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
-			Rules: []v1.PolicyRule{
-				{Verbs: {"get"}, NonResourceURLs: {"/healthz", "/healthz/*", "/livez", "/livez/*", ...}},
-		+ 		{Verbs: []string{"get"}, NonResourceURLs: []string{"/flagz"}},
-		+ 		{Verbs: []string{"get"}, NonResourceURLs: []string{"/statusz"}},
-			},
-			AggregationRule: nil,
-}`,
-		"system:aggregate-to-view": `  &v1.ClusterRole{
-        	TypeMeta:   {},
-        	ObjectMeta: {Name: "system:aggregate-to-view", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-view": "true"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
-        	Rules: []v1.PolicyRule{
-        		... // 8 identical elements
-        		{Verbs: {"get", "list", "watch"}, APIGroups: {"policy"}, Resources: {"poddisruptionbudgets", "poddisruptionbudgets/status"}},
-        		{Verbs: {"get", "list", "watch"}, APIGroups: {"networking.k8s.io"}, Resources: {"ingresses", "ingresses/status", "networkpolicies"}},
-        +		{
-        +			Verbs:     []string{"get", "list", "watch"},
-        +			APIGroups: []string{"resource.k8s.io"},
-        +			Resources: []string{"resourceclaims", "resourceclaims/status", "resourceclaimtemplates"},
-        +		},
-        	},
-        	AggregationRule: nil,
-        }
-        `,
-		"system:aggregate-to-edit": `&v1.ClusterRole{
-        	TypeMeta:   {},
-        	ObjectMeta: {Name: "system:aggregate-to-edit", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-edit": "true"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
-        	Rules: []v1.PolicyRule{
-        		... // 11 identical elements
-        		{Verbs: {"create", "delete", "deletecollection", "patch", ...}, APIGroups: {"networking.k8s.io"}, Resources: {"ingresses", "networkpolicies"}},
-        		{Verbs: {"create", "delete", "deletecollection", "get", ...}, APIGroups: {"coordination.k8s.io"}, Resources: {"leases"}},
-        +		{
-        +			Verbs:     []string{"create", "delete", "deletecollection", "patch", "update"},
-        +			APIGroups: []string{"resource.k8s.io"},
-        +			Resources: []string{"resourceclaims", "resourceclaimtemplates"},
-        +		},
-        	},
-        	AggregationRule: nil,
-        }
-        `,
-		"system:node": `  &v1.ClusterRole{
-          	TypeMeta:   {},
-          	ObjectMeta: {Name: "system:node", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
-          	Rules: []v1.PolicyRule{
-          		... // 20 identical elements
-          		{Verbs: {"create", "delete", "get", "patch", ...}, APIGroups: {"storage.k8s.io"}, Resources: {"csinodes"}},
-          		{Verbs: {"get", "list", "watch"}, APIGroups: {"node.k8s.io"}, Resources: {"runtimeclasses"}},
-        + 		{
-        + 			Verbs:     []string{"get"},
-        + 			APIGroups: []string{"resource.k8s.io"},
-        + 			Resources: []string{"resourceclaims"},
-        + 		},
-        + 		{
-        + 			Verbs:     []string{"deletecollection"},
-        + 			APIGroups: []string{"resource.k8s.io"},
-        + 			Resources: []string{"resourceslices"},
-        + 		},
-        + 		{
-        + 			Verbs:     []string{"get", "list", "watch"},
-        + 			APIGroups: []string{"certificates.k8s.io"},
-        + 			Resources: []string{"clustertrustbundles"},
-        + 		},
-          	},
-          	AggregationRule: nil,
-          }
-        `,
-		"system:kube-scheduler": `  &v1.ClusterRole{
-          	TypeMeta:   {},
-          	ObjectMeta: {Name: "system:kube-scheduler", Labels: {"kubernetes.io/bootstrapping": "rbac-defaults"}, Annotations: {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
-          	Rules: []v1.PolicyRule{
-          		... // 18 identical elements
-          		{Verbs: {"get", "list", "watch"}, APIGroups: {"storage.k8s.io"}, Resources: {"csidrivers"}},
-          		{Verbs: {"get", "list", "watch"}, APIGroups: {"storage.k8s.io"}, Resources: {"csistoragecapacities"}},
-        + 		{
-        + 			Verbs:     []string{"get", "list", "watch"},
-        + 			APIGroups: []string{"resource.k8s.io"},
-        +			Resources: []string{"deviceclasses"},
-        + 		},
-        + 		{
-        + 			Verbs:     []string{"get", "list", "patch", "update", "watch"},
-        + 			APIGroups: []string{"resource.k8s.io"},
-        + 			Resources: []string{"resourceclaims"},
-        + 		},
-        + 		{
-        + 			Verbs:     []string{"get", "list", "patch", "update", "watch"},
-        + 			APIGroups: []string{"resource.k8s.io"},
-        + 			Resources: []string{"resourceclaims/status"},
-        + 		},
-        + 		{
-        + 			Verbs:     []string{"get", "list", "patch", "update", "watch"},
-        + 			APIGroups: []string{""},
-        + 			Resources: []string{"pods/finalizers"},
-        + 		},
-        + 		{
-        + 			Verbs:     []string{"get", "list", "watch"},
-        + 			APIGroups: []string{"resource.k8s.io"},
-        + 			Resources: []string{"resourceslices"},
-        + 		},
-          	},
-          	AggregationRule: nil,
-          }
-        `,
-		"system:cluster-trust-bundle-discovery": `  any(
-        + 	s"&ClusterRole{ObjectMeta:{system:cluster-trust-bundle-discovery      0 0001-01-01 00:00:00 +0000 UTC <nil> <nil> map[kubernetes.io/bootstrapping:rbac-defaults] map[rbac.authorization.kubernetes.io/autoupdate:true] [] [] []},Rules:[]PolicyRule{PolicyRule{Ver"...,
-          )
-        `,
-	}
-
-	names := sets.NewString()
-	roles := map[string]runtime.Object{}
-	bootstrapRoles := bootstrappolicy.ClusterRoles()
-	for i := range bootstrapRoles {
-		role := bootstrapRoles[i]
-		names.Insert(role.Name)
-		roles[role.Name] = &role
-	}
-
+func TestBootstrapClusterRolesWithFeatureGatesEnabled(t *testing.T) {
 	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllAlpha", true)
 	featuregatetesting.SetFeatureGateDuringTest(t, feature.DefaultFeatureGate, "AllBeta", true)
 
-	bootstrapRoles = bootstrappolicy.ClusterRoles()
+	bootstrapRoles := bootstrappolicy.ClusterRoles()
 	featureGateList := &api.List{}
 	featureGateNames := sets.NewString()
 	featureGateRoles := map[string]runtime.Object{}
 	for i := range bootstrapRoles {
 		role := bootstrapRoles[i]
 		featureGateNames.Insert(role.Name)
 		featureGateRoles[role.Name] = &role
-		actualDiff := cmp.Diff(roles[role.Name], featureGateRoles[role.Name])
-		//normalize whitespace
-		expectedDiffNormalized := strings.Join(strings.Fields(expectedDiff[role.Name]), " ")
-		actualDiffNormalized := strings.Join(strings.Fields(actualDiff), " ")
-		if expectedDiffNormalized != actualDiffNormalized {
-			t.Errorf("RoleName '%s', diff between regular and feature gate. Expected: [%s], Actual: [%s]", role.Name, expectedDiff[role.Name], actualDiff)
-		}
 	}
 	for _, featureGateName := range featureGateNames.List() {
 		featureGateList.Items = append(featureGateList.Items, featureGateRoles[featureGateName])
 	}
 
 	testObjects(t, featureGateList, "cluster-roles-featuregates.yaml")
-
 }
 
 func TestBootstrapClusterRoleBindings(t *testing.T) {

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles-featuregates.yaml

@@ -1235,6 +1235,12 @@ items:
     - get
     - list
     - watch
+  - apiGroups:
+    - ""
+    resources:
+    - serviceaccounts
+    verbs:
+    - get
 - apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata: